WLC ACL - Management

Hi,
Has anyone been able to configure restrictive access to the Management interface? I created an ACL that specifies our Management VLAN and set the action to "permit". I then added this ACL to the management interface, but I'm still able to log in from any IP. The WLC is running 4.2.176.0 and to my knowledge there are no known bugs related to this. Thank you.
-John

Hi Adnan,
You have to apply this ACL as a CPU ACL. Then it will work.
For your reference:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4
Hope that helps...
Kind regards
Philip
--> Pls rate useful responses <--

Similar Messages

  • Block IPs from accessing WLC web management

    Hi all,
    I have tried using an access control list to block certain IPs from accessing WLC web management. I apply the ACL to the management interface, but it seems to have no effect at all.
    How can I block or permit some IPs so that only certain IPs can access WLC web management?
    Thanks in advance.

    I need to deal with this matter also... So here's what I found:
    - you must use CPU ACLs - interface ACLs won't do what you want;
    - it appears that once you use an ACL, you must explicitly define each type of traffic you want to allow, since an implicit deny-all action occurs.
    I'm working on trying to restrict admin access to controllers in order to address policy compliance matters. I'm disappointed at the lack of better documentation and practical examples on ACLs...
    If anyone can shed some light on this topic I think two of us would appreciate it...

  • ACL Manager Cache ...

    Hi all,
    do you think that ACL Manager Cache could cause the following?
    At one moment two users see different ACLs of some document, even after refreshing IE. After a few minutes it is all right (i.e. both can see the same ACL).
    Thanks and Regards
    Zbynek

    Hi,
    I never came across this problem, but it looks like a cache issue.
    So check the ACL Security Manager cache settings:
    http://help.sap.com/saphelp_nw70/helpdata/EN/10/e276b47541654c83f349a1964c8d0c/frameset.htm
    You should check the Default Time-to-Live setting and reduce it if this is too high.
    Regards,
    Praveen Gudapati

  • WLC 5508 management interface

    Hi, I have a particular wireless design that requires one WLC 5508 to be connected to two separate switches. Port 1 of the WLC is connected as a trunk to Switch A and Port 2 of the WLC is connected to Switch B. Each switch has its own local VLANs. When I connect 1130 LAPs they need to find the management interface initially and then use only AP-manager interfaces. Since there is only one management interface, if I assign the management interface to a VLAN that is configured on switch A then APs on switch A join fine, but those on switch B keep asking for the management interface, and from the capwap debug on the WLC it says that the join request was received on the wrong interface ....
    The only workaround to this was to route between switch A and switch B for the two VLANs on which the APs reside... but for security purposes the client would like to avoid this.
    Any help much appreciated ..

    Hi thanks for your reply,
    Yes I agree perfectly with your explanation - On both switches I have UDP forward for 5246 and 5247 and everything works fine.
    You understood exactly what's happening: for initial discovery the Guest AP asks for the management interface through WLC port 2, but the management IP is on the admin side, WLC port 1, and then it drops the packet saying that it was received on the wrong port. In fact that is why I put an ACL between the Admin switch and the guest switch that allows only 5426 capwap control - just to allow that initial discovery from the guest AP to contact the Management interface, which can only be assigned to one port, and in my case it is on the admin switch side. And that is why I had to make a route between the two independent switches.
    My question is whether there is any other way, with my given design, to eliminate this initial discovery of the management interface, as my client would like the admin and guest switches to be completely separated, i.e. without the routing. Is there any way that the guest APs can make contact with the AP-manager interface on their side only, skipping the discovery of the management interface? The guest APs were primed on the admin side so they know the IP. After the initial discovery, if I remove the routing between the admin and guest switch, the guest APs keep their connectivity without any problems.

  • WLC ACL For Internet Access Only

    I've implemented Cisco ISE 3495's with the advanced subscription license. I've built my policy sets and authorization profiles. It all works great! Here's the issue that I'm having. I have internal employees who bring in their own devices (BYOD). I want to allow them onto the secured SSID that I've created, but only want to give them access to the intra/internet. I've created an ACL (EmpInternetOnly) on the WLC. Here are my rules:
    I can get to the intranet with no issue (ACL lines 1-4). I can't get to the internet whatsoever. I see everything falling down to the deny statement. When I remove the deny statement (ACL line 14) and put a permit all, then the internet works with no issue. Am I missing something here? I've researched this topic on several message boards, but can't find an answer. I've tried to run the ACL debug on the controller, but do not see any output when I run it. It might be because I don't understand the proper format of how to set it up. Any and all replies would be much appreciated! Thanks!
    Steve

  • WLC ACL Problem

    Hi all,
    I'm having problems when trying to apply an ACL to my WLC dynamic interfaces. I have three WLANs that I wish to keep separated and am using ACLs that I have configured on the controller, the only problem is they don't seem to work!
    A ping test from 10.201.32.11 on WLAN1 to 10.201.27.41 on WLAN2 works, and the current ACL is below:
    Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
         1 Out     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         2  In     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         3 Out     10.201.32.0/255.255.252.0       10.201.28.0/255.255.255.0    Any     0-65535     0-65535  Any   Deny           0
         4  In     10.201.28.0/255.255.255.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         5 Out     10.201.32.0/255.255.252.0     192.168.200.0/255.255.255.224  Any     0-65535     0-65535  Any   Deny           0
         6  In   192.168.200.0/255.255.255.224     10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          69
     DenyCounter : 0
    Each WLAN sits on its own separate dynamic interface and its own unique subnet.
    Any suggestions would be most appreciated.
    Thanks.

    Hi,
    Keep in mind the direction of the ACL.
    In means from the client destined to the WLC.
    Out means from the WLC destined to the client.
    It should look like this:
    Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
         1  In     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         2 Out     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
    Don't forget to apply the ACL on interface or on WLAN.
    Regards,
    Christos.
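An added example (not code from either thread) that models the first-match, direction-aware evaluation described in Christos's reply, and also the implicit deny-all noted under "Block IPs from accessing WLC web management" for a CPU ACL. The 10.1.10.0/24 management VLAN and the 10.1.10.2 controller address are constructed values; the WLAN subnets and the ping endpoints are taken from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """One WLC ACL line. Direction as the reply defines it: In = from the
    client toward the WLC, Out = from the WLC toward the client, Any = both."""
    direction: str
    src: str       # "address/netmask" exactly as the controller prints it
    dst: str
    action: str    # "Permit" or "Deny"
    hits: int = 0  # the per-rule counter shown in the ACL listing

def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(spec, strict=False)  # dotted masks are accepted

def evaluate(rules, direction, src_ip, dst_ip) -> str:
    """First matching line wins; a packet matching no line hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.direction in ("Any", direction) and s in _net(r.src) and d in _net(r.dst):
            r.hits += 1
            return r.action
    return "Deny"  # implicit deny-all at the end of every WLC ACL

# WLAN1 = 10.201.32.0/22, WLAN2 = 10.201.24.0/22 (subnets from the thread)
ANY = "0.0.0.0/0.0.0.0"
ORIGINAL = [  # directions as first posted
    Rule("Out", "10.201.32.0/255.255.252.0", "10.201.24.0/255.255.252.0", "Deny"),
    Rule("In",  "10.201.24.0/255.255.252.0", "10.201.32.0/255.255.252.0", "Deny"),
    Rule("Any", ANY, ANY, "Permit"),
]
CORRECTED = [  # directions as given in the reply
    Rule("In",  "10.201.32.0/255.255.252.0", "10.201.24.0/255.255.252.0", "Deny"),
    Rule("Out", "10.201.24.0/255.255.252.0", "10.201.32.0/255.255.252.0", "Deny"),
    Rule("Any", ANY, ANY, "Permit"),
]

def ping_wlan1_to_wlan2(rules) -> str:
    # The echo request leaves the client and enters the WLC: an "In" packet.
    return evaluate(rules, "In", "10.201.32.11", "10.201.27.41")

# Constructed CPU ACL for the management-access question: 10.1.10.0/24 stands in
# for the management VLAN. With a single permit line, every other source falls
# through to the implicit deny, which is why each wanted traffic type needs a line.
CPU_ACL = [Rule("Any", "10.1.10.0/255.255.255.0", ANY, "Permit")]

def management_login(rules, client_ip) -> str:
    return evaluate(rules, "In", client_ip, "10.1.10.2")  # assumed management IP

if __name__ == "__main__":
    print("original ACL :", ping_wlan1_to_wlan2(ORIGINAL))   # Permit (falls to line 3)
    print("corrected ACL:", ping_wlan1_to_wlan2(CORRECTED))  # Deny   (line 1 matches)
    print("CPU ACL      :", management_login(CPU_ACL, "10.1.10.5"), management_login(CPU_ACL, "192.0.2.7"))
```

Running it shows the posted ACL permitting the ping (only the catch-all line gets a hit, matching the counter of 69 on line 7) while the corrected one denies it on line 1.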

  • How can you see what the WLC ACL is denying?

    How can you see what the ACL on our WLC 5508 is denying? The counter keeps going up, but what is getting blocked is nowhere to be seen.

    You are right, but you can monitor that through the hit counts on the WLC under Security -> Access Control Lists -> Hits.
    It will give you some idea for troubleshooting; you also have the command line for detailed analysis.

  • Cisco 4400 - 100 WLC ap manager IP address

    I am going to implement a Cisco 4400-100 WLC. I need it to manage 100 Cisco LWAPP APs.
    Can this be done with one AP Manager IP address?
    Is it recommended to have the AP manager and management address on the same subnet?
    How many of the 4 fibre connectors need to be used to manage 100 APs?
    Mark Cronin

    OK, you have 2 options: one is to work with AP MANAGER interfaces and the other is to work with LAG. When LAG is enabled you just need one AP MANAGER interface, because the LAG provides the redundancy and load balancing function.
    Check out this link:
    http://cisco.com/en/US/docs/wireless/technology/controller/deployment/guide/dep.html
    In this section:
    Using Link Aggregation (LAG)

  • WLC 2006 Management interface

    I have my WLC configured as follows:
    management intf - 10.10.254.42
    ap-manager intf - 10.10.254.41
    Both are untagged, and the switch port has the native vlan set to 1.
    However, I am unable to reach either address from any other subnet. What gives?

    Hi Friend,
    Can you ping your gateway from your controller? Can you ping this controller from anywhere in your network if you TAG the interfaces instead of leaving them untagged?
    Regards,
    Ankur

  • Wlc 5508 management interface vlan - access point vlan

    Is it required that the access points are in the same vlan as the management interface on a wlc 5508?

    There is a story behind this .. Just yesterday my guy was like "APs won't join" .. I let him hammer away at it .. It was the check box
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • LWAPP, WLC RF management

    I have been looking at the LWAPPs and was curious if manual RF management is possible? I ask because I am concerned about the possibility of an automatic process extending a cell to the outside of my physical facility. I am not by any means referring to possible overlapping of cells; my concern is simply around the system pushing the cell size to extend beyond the physical site, thus exposing the network to a higher risk.
    My readings seem to harp on the automatic recovery if an AP should fail.. This is an excellent feature to ensure uptime. However, in certain situations I see an AP increasing in power to compensate for a failed AP and going across the parking lot...
    So simple question, with LWAPP can you have manual RF settings per AP? =)
    I know Huffman will read this, so hey bud! =P

    Robert:
    You can manage both RF channel and power settings for individual LWAPs manually.
    Typically, Cisco does not encourage this but it can be done.
    Also, you can have some LWAPs be automatic and others be manual.
    Drill down into an AP entry and click on the WLC and click on the config link.
    You will see dropdowns that permit you to force the RF power and/or channel settings manually.
    Note: Instead of the mWatt or dBi settings that you may be used to seeing in the autonomous version of the APs, the power settings will have a value of "1" for full power, "2" for half power, "3" for 1/4 power, etc.
    I hope this is helpful.
    - John

  • WLC 5508 - management frames without DSCP marking

    Hello,
    We are facing an issue that our wireless LAN controller (5508 with version 7.6.100) doesn't mark management frames (e.g. reassociation response - necessary for roaming) with CS6. Therefore some of them are dropped, leaving the clients unable to roam...
    Does anybody have an idea? In my view it can only be a bug because it's not possible to reconfigure this....
    Thx

    We are seeing management frames getting marked on the WiSM. I strongly believe they were marked in the past also on the 5508. Moreover, frames are getting marked when they are initiated by the AP.
    If we trust CoS, frames are getting marked because they contain the dot1p tag; the switch generates the DSCP value out of it. But we want to trust DSCP.
    We also see a very strange behaviour when trusting CoS: sometimes a reassociation request has dot1p value 2 and the next one has 5. So it seems that the tag is there, but not working properly.
    Changing to CoS in general would mean testing the whole infrastructure for VoIP over wireless LAN again, and I don't want to do that.

  • WLC 5508 Management Interface Connection

    I'm setting up a new 5508. I've used the config from a 4402 and have successfully connected to the Service port to manage the device, but for some reason cannot connect to the Management interface, in this case port 1.
    The service port is connected to a Catalyst switch and grabbed an IP address (10.2.x.x subnet) no problem. I can access the 5508 via https using the SP. However, port 1 is connected to the same Catalyst switch, but on a different VLAN (subnet 10.20.x.x). Both ends show that the interfaces are up, and I can ping the interface from any other host on the network, but when I try to manage the device via https I cannot connect. We are using WCS and I cannot add the device from the WCS. About all I can do is ping that interface.
    I've probably overlooked something very basic, but I'm baffled.

    Thanks for the reply.
    No, definitely not that. I have all of those enabled. I have the SP connected to another VLAN on the same switch and can manage through that port (https, telnet). I've tried about every combination of trunk port, access port, etc. I'm beginning to suspect the GBICs (10baseT), but both ends show that I am connected at 1000 and I can ping the IP address of the management interface.

  • WLC ACL blocks internet only on Nook tablet

    Win7 laptops work fine. The Nook gets an IP but no internet. The ACL is on the Controller, and even if I remove all rules and permit any/any, there is still no internet on the Nook. If I take the ACL off, the Nook gets internet. I have googled this and can't find anything. Anyone ever come across this? 4404 running 1142 APs.

    The Nook's IP is 10.33.64.11 and Barnes & Noble is 65.204.48.9
    Without ACL:
    609          41.490916000          65.204.48.9          10.33.64.111          TCP          60          https > 57580 [RST, ACK] Seq=1 Ack=1 Win=5204 Len=0
    610          41.490988000          65.204.48.9          10.33.64.111          TCP          128          https > 57580 [RST, ACK] Seq=1 Ack=1 Win=5204 Len=0
    582          35.100123000          65.204.48.9          10.33.64.111          TCP          60          https > 53596 [RST, ACK] Seq=1 Ack=1 Win=5613 Len=0
    583          35.100201000          65.204.48.9          10.33.64.111          TCP          128          https > 53596 [RST, ACK] Seq=1 Ack=1 Win=5613 Len=0
    With ACL:
    109          18.001621000          Cisco_18:1c:03          PVST+          STP          64          Conf. Root = 4096/1/00:0a:b7:18:1c:00  Cost = 0  Port = 0x8003
    110          18.426866000          Barnes&N_0d:eb:d3          Cisco_e8:63:f0          802.11          146          Probe Request, SN=339, FN=0, Flags=...P...., SSID=WDC-Guest-TestLab
    111          18.432880000          Barnes&N_0d:eb:d3          Cisco_e8:63:f0          802.11          146          Probe Request, SN=340, FN=0, Flags=...P...., SSID=WDC-Guest-TestLab
    112          19.515568000          Cisco_58:6b:40          Broadcast          ARP          60          Who has 192.168.107.1?  Tell 192.168.107.100

  • Reconfiguring WLC's Management Interface Gateway

    Dears,
    I am trying to change the gateway, which was previously configured wrong, but I am facing an error. Below is the command I am using and the error I get.
    configure interface address management IP-ADDRESS SUBNETMASK GATEWAY
    "Request failed - Active WLAN using interface. Disable WLAN first"

    WLANs can be disabled in two ways: CLI or GUI.
    CLI
    config wlan disable
    or GUI
    WLAN tab
    Click a Profile Name
    Uncheck the "Enable" checkbox
    Apply
